Grok regex with escaped "[", "]", "(", and ")" chars doesn't work


Elastic newbie here - working with a new 5.5 install. I have a log line that looks like so:
[2015/10/01@19:48:22.785-0400] P-4780 T-2208 I DBUTIL : (451) prostrct create session begin for timk519 on CON:.

I have the following regex:

When I try it in the kibana grok debugger it doesn't work and I get the following error:
GrokDebugger: [parse_exception] [pattern_definitions] property isn't a map, but of type [java.lang.String], with { header={ processor_type="grok" & property_name="pattern_definitions" } }

This regex works if I remove the [ and ] from the regex and the log line. I've tried doing single, double, and triple escape on the [ and ] - to no avail.

I was able to escape the () around the msgnum tag which leaves me puzzled why escaping the [ ] characters doesn't work.

What am I missing?


This hack works -

I added a "." after the {4}) to get past the ] - and it looks like so:


I'd prefer a solution which is explicit about the [ and ].


This also works - add a "." as the leading char, and add a ] to capture the trailing ].


I get the impression the regex processor doesn't like a leading [ or \[.

Well isn't that interesting - the editor is interpreting a \ as an escape character and only showing the next character...


This pattern works in the grok debug test in Kibana, yet fails in production:


The problem is the escaped "(" and ")" used to extract the msgnum number.



Turns out the {DATE} was the incorrect format in that it only had a 2-digit year while the log had a 4-digit year. Once that was changed to a custom format that matched the 4-digit year in the log date, everything behaved normally.
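As an added illustration (not code from the thread or from Elastic), here is a small Python grok-style expander that matches the sample log line above using backslash-escaped [ ] and ( ) and a custom 4-digit-year date definition, and shows that the same pattern fails once the year is defined as 2 digits. Pattern names such as PROGRESS_TS and YEAR are assumed, not Elastic's stock definitions.

```python
import re

# Constructed sample input: the log line quoted in the original question.
LOG_LINE = ("[2015/10/01@19:48:22.785-0400] P-4780 T-2208 I DBUTIL : "
            "(451) prostrct create session begin for timk519 on CON:.")

# Assumed custom pattern_definitions (hypothetical names, defined here for the example).
PATTERN_DEFINITIONS = {
    "YEAR": r"\d{4}",                      # 4-digit year, matching the log
    "MONTHNUM2": r"(?:0[1-9]|1[0-2])",
    "MONTHDAY2": r"(?:0[1-9]|[12]\d|3[01])",
    "PROGRESS_DATE": r"%{YEAR}/%{MONTHNUM2}/%{MONTHDAY2}",
    "PROGRESS_TIME": r"\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}",
    "PROGRESS_TS": r"%{PROGRESS_DATE}@%{PROGRESS_TIME}",
    "INT": r"\d+",
    "WORD": r"\w+",
    "GREEDYDATA": r".*",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, definitions):
    """Recursively replace %{NAME} / %{NAME:field} with (named) regex groups."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(definitions[name], definitions)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(sub, pattern)

def grok_match(pattern, text, definitions=PATTERN_DEFINITIONS):
    """Return the captured fields as a dict, or None when the pattern does not match."""
    m = re.compile(expand(pattern, definitions)).match(text)
    return m.groupdict() if m else None

# Literal [ ] and ( ) in the log line are escaped with a single backslash.
PATTERN = (r"\[%{PROGRESS_TS:timestamp}\] P-%{INT:pid} T-%{INT:tid} "
           r"%{WORD:level} %{WORD:component} : \(%{INT:msgnum}\) %{GREEDYDATA:message}")

def parse_with_two_digit_year(text):
    """Same pattern, but YEAR redefined as 2 digits: '2015/' no longer matches."""
    return grok_match(PATTERN, text, dict(PATTERN_DEFINITIONS, YEAR=r"\d{2}"))

if __name__ == "__main__":
    print(grok_match(PATTERN, LOG_LINE))
    print(parse_with_two_digit_year(LOG_LINE))
```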
